Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Valid

Reported on

Dec 12th 2021
Description

Stored XSS via file upload of a .xml file in the Product module. When the attachment is opened, some file formats are rendered and loaded by the browser instead of being downloaded, so any JavaScript injected into the attachment beforehand is executed.

Proof of Concept

<?xml version="1.0"?>
<html:html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>
alert(document.domain);
</html:script>
</html:html>

Steps To Reproduce

1. After login, navigate to Inventory -> Product and create or edit any product.
2. While editing a product, upload a malicious XML file as the product image.
3. Click Choose file, select XSS.xml, and then click Save.
4. After the upload succeeds, copy the link of the image and open it in a new tab.

The XSS will trigger when the attachment is opened in a new tab.
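The defensive counterpart to the steps above, as an added example that is not part of this report or of the coreBOS code base (written in Python rather than the project's PHP; all function names are assumptions): an upload check that judges a "product image" by its bytes rather than its extension, and response headers that stop a stored file from being rendered as a document.

```python
import re

# Magic-byte signatures for the image formats a product-image field should accept.
IMAGE_SIGNATURES = [
    ("image/png", b"\x89PNG\r\n\x1a\n"),
    ("image/jpeg", b"\xff\xd8\xff"),
    ("image/gif", b"GIF87a"),
    ("image/gif", b"GIF89a"),
]
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Prologues of documents a browser would render (and run script from) if served inline.
MARKUP_PROLOGUE = re.compile(rb"^\s*(<\?xml|<!doctype|<html|<svg|<[a-z]+:html)", re.IGNORECASE)

def detect_image_mime(data: bytes):
    """Return the MIME type matched by magic bytes, or None for non-images."""
    for mime, sig in IMAGE_SIGNATURES:
        if data.startswith(sig):
            return mime
    return None

def validate_product_image(filename: str, data: bytes):
    """Accept an upload only if both its extension and its content say 'image'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed for product images"
    if MARKUP_PROLOGUE.match(data):
        return False, "content is markup (XML/HTML/SVG), not an image"
    if detect_image_mime(data) is None:
        return False, "magic bytes do not match an allowed image format"
    return True, "ok"

def storage_response_headers(stored_name: str, data: bytes):
    """Headers for serving a stored file so the browser never renders it as a page."""
    mime = detect_image_mime(data) or "application/octet-stream"
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)  # keep header injection out
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # no sniffing into text/html or XML
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }

# Constructed sample inputs: the report's XHTML payload and a minimal PNG header.
XSS_XML = b"<?xml version=\"1.0\"?>\n<html:html xmlns:html='http://www.w3.org/1999/xhtml'>\n<html:script>alert(document.domain);</html:script>\n</html:html>\n"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_product_image("XSS.xml", XSS_XML))     # rejected by extension
    print(validate_product_image("XSS.png", XSS_XML))     # rejected by content
    print(storage_response_headers("43906_XSS.xml", XSS_XML))
```

Renaming the payload to a .png extension is caught by the content check, and the headers make even a file that slips through download instead of render.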

Video POC

https://drive.google.com/file/d/1vsyRMt-8VuTUFnFw6YBfjMlFw6L-v5m5/view?usp=sharing

Note

The link to the image will look like this: https://demo.corebos.com/storage/2021/December/week2/43906_XSS.xml

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

Timeline

2 months ago: We are processing your report and will contact the tsolucio/corebos team within 24 hours.
2 months ago: Devendra Bhatla modified their report.
a month ago: We have contacted a member of the tsolucio/corebos team and are waiting to hear back.
a month ago: Joe Bordes validated this vulnerability.
Devendra Bhatla has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
a month ago: Joe Bordes confirmed that a fix has been merged on f7c848.
Joe Bordes has been awarded the fix bounty.
KhanhCM
a month ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

What a shame on you!

The maintainer should be aware of this person, he is not a researcher, he is a copier!

Devendra Bhatla
a month ago

Researcher


@chau Minh Khanh, please have some shame, there is no content which I have copied. Don't you have some better job? Come to India, I will give you a great job here. People like you are a shame on society, whose job is just to comment here and there with no job.